Let’s be real, cybersecurity compliance is massively complicated and really important when something goes wrong. Complying with cybersecurity laws has only become more challenging in the past few years as the U.S. federal government and the European Union have both accelerated their efforts to modernize cybersecurity legislation and regulations.
This accelerated pace of influence and involvement of governments worldwide is impacting all businesses that use software to operate (which is to say, all businesses). Not only because the government is being more prescriptive with the requirements that have to be met in order to operate a business but also because of the financial penalties involved with non-compliance.
This guide will help you understand how cybersecurity laws and regulations impact your business and how to think about cybersecurity compliance so you don’t run afoul of non-compliance fines.
What is cybersecurity compliance?
Cybersecurity compliance is the practice of conforming to established standards, regulations, and laws to protect digital information and systems from cybersecurity threats. By implementing specific policies, procedures, and controls, organizations meet the requirements set by various governing bodies. This enables these organizations to demonstrate their commitment to cybersecurity best practices and legal mandates.
Consider the construction of a house. Just as architects and builders follow blueprints and building codes to ensure the house is safe, sturdy, and functional, cybersecurity compliance serves as the “blueprint” for organizations in the digital world. These guidelines and standards ensure that the organization’s digital “structure” is secure, resilient, and trustworthy. By adhering to these blueprints, organizations not only protect their assets but also create a foundation of trust with their stakeholders, much like a well-built house stands strong and provides shelter for its inhabitants.
Why is cybersecurity compliance important?
At its core, the importance of cybersecurity compliance can be distilled into one critical aspect: the financial well-being of an organization. Typically when we list the benefits of cybersecurity compliance, we are forced to use imprecise ideas like “enhanced trust” or “reputational safeguarding,” but the common thread connecting all these benefits is the tangible and direct impact on an organization’s bottom line. In this case, it is easier to understand the benefits of cybersecurity compliance by instead looking at the consequences of non-compliance.
Direct financial penalties: Regulatory bodies can impose substantial fines on organizations that neglect cybersecurity standards. According to the IBM Cost of a Data Breach Report 2023, the average company can expect to pay approximately $40,000 USD in fines due to a data breach. Note that this figure is an average; a black swan event can lead to a significantly different outcome. A prime example is the TJX Companies data breach in 2006: TJX faced a staggering $40.9 million fine for non-compliance with PCI DSS standards after the credit card information of more than 45 million customers was exposed.
Operational disruptions: Incidents like ransomware attacks can halt operations, leading to significant revenue loss.
Loss of customer trust: A single data breach can result in a mass exodus of clientele, leading to decreased revenue.
Reputational damage: The long-term financial effects of a tarnished reputation can be devastating, from stock price drops to reduced market share.
Legal fees: Lawsuits from affected parties can result in additional financial burdens.
Recovery costs: Addressing a cyber incident, from forensic investigations to public relations efforts, can be expensive.
Missed opportunities: Non-compliance can lead to lost contracts and business opportunities, especially with entities that mandate cybersecurity standards.
An overview of cybersecurity laws and legislation
This section will give a high-level overview of cybersecurity laws, standards and the governing bodies that exert their influence on these laws and standards.
Government agencies that influence cybersecurity regulations
Navigating the complex terrain of cybersecurity regulations in the United States is akin to understanding a vast network of interlinked agencies, each with its own charter to protect various facets of the nation’s digital and physical infrastructure. This ecosystem is a tapestry woven with the threads of policy, enforcement, and standardization, where agencies like the Cybersecurity and Infrastructure Security Agency (CISA), the National Institute of Standards and Technology (NIST), and the Department of Defense (DoD) play pivotal roles in crafting the guidelines and directives that shape the nation’s defense against cyber threats.
The White House and legislative bodies contribute to this web by issuing executive orders and laws that direct the course of cybersecurity policy, while international standards bodies such as the International Organization for Standardization (ISO) offer a global perspective on best practices. Together, these entities form a collaborative framework that influences the development, enforcement, and evolution of cybersecurity laws and standards, ensuring a unified approach to protecting the integrity, confidentiality, and availability of information systems and data.
Cybersecurity and Infrastructure Security Agency (CISA)
Branch of Department of Homeland Security (DHS) that oversees cybersecurity for critical infrastructure for the US federal government
Houses critical cybersecurity services, such as the National Cybersecurity and Communications Integration Center (NCCIC), United States Computer Emergency Readiness Team (US-CERT), National Coordinating Center for Communications (NCC) and NCCIC Operations & Integration (NO&I)
International Organization for Standardization (ISO)
Develops and publishes international standards, including those related to information security
Roughly equivalent to NIST but for European countries
Influence extends beyond Europe in practice though not officially
European Union Agency for Cybersecurity (ENISA)
EU’s agency dedicated to achieving a high common level of cybersecurity across member states
Roughly equivalent to CISA but for European states
The Federal Bureau of Investigation (FBI)
Investigates cyber attacks, including those by nation-states, hacktivists, and criminals; investigations can set legal precedent
Leads National Cyber Investigative Joint Task Force (NCIJTF) to coordinate interagency investigation efforts
Collaborates with businesses, academic institutions, and other organizations to share threat intelligence and best practices through the InfraGard program
Federal Trade Commission (FTC)
Takes legal action against companies failing to protect consumer data
Publishes guidance for businesses on how to protect consumer data and ensure privacy
Recommends new legislation or changes to existing laws related to consumer data protection and cybersecurity
U.S. Secret Service
Investigates cyber crimes, specifically financial crimes; investigations can set legal precedent
Manages the Electronic Crimes Task Forces (ECTFs) focusing on cyber intrusions, bank fraud, and data breaches
National Security Agency (NSA)
Collects and analyzes signals intelligence (SIGINT) related to cyber threats
Established the Cybersecurity Directorate to unify foreign intelligence and cyber defense missions for national security systems and the defense industrial base (DIB)
Conducts extensive research in cybersecurity, cryptography, and related fields. Innovations and findings from this research often influence broader cybersecurity standards and practices
Department of Health and Human Services (HHS)
Enforces the Health Insurance Portability and Accountability Act (HIPAA), ensuring the protection of health information
Oversees the Office for Civil Rights (OCR) which enforces HIPAA’s Privacy and Security Rules
Food and Drug Administration (FDA)
Regulates the cybersecurity of medical devices, specifically Internet of Things (IoT) medical devices
Provides guidance to manufacturers on cybersecurity considerations for medical devices
Securities and Exchange Commission (SEC)
Requires public companies to disclose material cybersecurity risks and incidents
Enforces the cybersecurity implications of the Sarbanes-Oxley Act (SOX), ensuring the integrity of financial data
Federal Trade Commission (FTC)
Responsible for enforcing the Children’s Online Privacy Protection Act (COPPA)
Enforces laws governing consumers’ privacy rights and sensitive consumer information
U.S. cybersecurity laws and standards to know
Navigating the complex web of U.S. cybersecurity regulations can often feel like wading through an alphabet soup of acronyms. We have tried to highlight some of the most important and give context on how the laws, standards and regulations interact, overlap or build on each other.
NIST 800-53 (Security and Privacy Controls for Information Systems and Organizations)
Comprehensive collection of security controls that many other laws and standards refer to as the baseline
Other compliance standards will refer to a subset of NIST 800-53; it is unlikely that all controls will need to be met in many environments
Federal Information Security Management Act (FISMA)
Law that requires federal agencies and their contractors to implement comprehensive cybersecurity measures
Many of the standards and recommendations of the NIST Special Publication series on cybersecurity are a response to the mandate of FISMA
Federal Risk and Authorization Management Program (FedRAMP)
Standard for assessing security of cloud/SaaS products and services used by federal agencies
Certification is the concrete manifestation of the FISMA law for cloud services
Defense Federal Acquisition Regulation Supplement (DFARS)
Certification to prove that DoD contractors are in compliance with cybersecurity practices and processes required in DFARS
For many years DFARS was not enforced; CMMC is the certification process created to close this gap
SOC 2 (System and Organization Controls 2)
Compliance framework for auditing and reporting on controls related to the security, availability, confidentiality, and privacy of a system
Very popular certification for cloud/SaaS companies to maintain as a way to assure clients that their information is managed in a secure and compliant manner
Payment Card Industry Data Security Standard (PCI DSS)
Establishes security standards for organizations that handle credit cards
Must comply with this security standard in order to process or store payment data
Health Insurance Portability and Accountability Act (HIPAA)
Protects the privacy and security of health information for consumers
Must comply with this security standard in order to process or store electronic health records
NIST Cybersecurity Framework
Provides a policy framework to guide private sector organizations in the U.S. to assess and improve their ability to prevent, detect, and respond to cyber incidents
While voluntary, many organizations adopt this framework to enhance their cybersecurity posture
NIST Secure Software Development Framework
Standardized, industry-agnostic set of best practices that can be integrated into any software development process to mitigate the risk of vulnerabilities and improve the security of software products
Provides more specific security practices than NIST 800-53 while still satisfying the controls outlined in the Control Catalog regarding secure software development
CCPA (California Consumer Privacy Act)
Statute to enhance privacy rights and consumer protection to prevent misuse of consumer data
While it only applies to businesses operating in California, it is considered the most likely candidate to be adopted by other states
Gramm-Leach-Bliley Act (GLBA)
Protects consumers’ personal financial information held by financial institutions
Financial institutions must explain their information-sharing practices and safeguard sensitive data
Sarbanes-Oxley Act (SOX)
Addresses corporate accounting scandals and mandates accurate financial reporting
Public companies must implement stringent measures to ensure the accuracy and integrity of financial data
Children’s Online Privacy Protection Act (COPPA)
Protects the online privacy of children under 13.
Websites and online services targeting children must obtain parental consent before collecting personally identifiable information (PII)
EU cybersecurity laws and standards to know
ISO/IEC 27001
An international standard that provides the criteria for establishing, implementing, maintaining, and continuously improving an information security management system (ISMS)
Roughly equivalent to NIST 800-37, the Risk Management Framework
Also includes a compliance and certification component; when combined with ISO/IEC 27002 it is roughly equivalent to FedRAMP
EU 881/2019 (Cybersecurity Act)
The law that codifies the mandate for ENISA to assist EU member states in dealing with cybersecurity issues and promote cooperation
Creates an EU-wide cybersecurity certification framework for member states to aim for when creating their own local legislation
NIS2 (Revised Directive on Security of Network and Information Systems)
A law that requires a high level of security for network and information systems across various sectors in the EU
A more specific set of security requirements than the cybersecurity certification framework of the Cybersecurity Act
ISO/IEC 27002
An international standard that provides more specific controls and best practices that assist in meeting the more general requirements outlined in ISO/IEC 27001
Roughly equivalent to NIST 800-53, the Control Catalog
General Data Protection Regulation (GDPR)
A comprehensive data protection and privacy law
Non-compliance can result in significant fines, up to 4% of an organization’s annual global turnover or €20 million (whichever is greater)
How to streamline cybersecurity compliance in your organization
Ensuring cybersecurity compliance is a multifaceted challenge that requires a strategic approach tailored to an organization’s unique operational landscape. The first step is to identify the specific laws and regulations applicable to your organization, which can vary based on geography, industry, and business model. Whether it’s adhering to financial regulations like GLBA and SOX, healthcare standards such as HIPAA, or public sector requirements like FedRAMP and CMMC, understanding your compliance obligations is crucial.
While this guide can’t give prescriptive steps for any organization to meet their individual needs, we have put together a high-level set of steps to consider when developing a cybersecurity compliance program.
1. Determine which laws and regulations apply to your organization
US-only; if your business only operates in the United States then you only need to be focused on compliance with US laws
EU-only; if your business only operates in the European Union then you only need to be focused on compliance with EU laws
Global; if your business operates in both jurisdictions then you’ll need to consider compliance with both EU and US laws, as well as any other jurisdictions you operate in.
Financial Services; financial services firms have to comply with the GLBA and SOX laws but if they don’t process credit card payments they might not need to be concerned with PCI-DSS
E-commerce; any organization that processes payments, especially via credit card, will need to adhere to PCI-DSS, and obtaining a SOC 2 audit is common
Healthcare; any organization that processes or stores data that is defined as protected health information (PHI) will need to comply with HIPAA requirements
Federal; any organization that wants to do business with a federal agency will need to be FedRAMP compliant
Defense; any defense contractor that wants to do business with the DoD will need to maintain CMMC compliance
B2B; there isn’t a law that mandates cybersecurity compliance for B2B relationships, but many companies will only do business with other companies that maintain SOC 2 compliance
Data storage; if your organization stores data but does not process or transmit the data then your requirements will differ. For example, if you offer a cloud-based data storage service and a customer uses your service to store PHI, they are required to be HIPAA-compliant but you are considered a Business Associate and do not need to comply with HIPAA specifically. You should consult with your legal team to determine which data processing laws apply to your business.
Data processing; if your organization processes data but does not store the data then your requirements will differ. For example, if you process credit card transactions but don’t store the credit card information you will probably need to comply with PCI-DSS but possibly not GLBA and SOX
Data transmission; if your organization transmits data but does not process or store the data then your requirements will differ. For example, if you run an internet service provider (ISP), credit card transactions and PHI could traverse your network, but HIPAA or PCI-DSS compliance is not your responsibility.
2. Conduct a gap analysis
Current State Assessment: Evaluate the current cybersecurity posture and practices against the required standards and regulations.
Identify Gaps: Highlight areas where the organization does not meet required standards.
These steps can either be done manually or automatically. Anchore Enterprise offers organizations an automated, policy-based approach to scanning their entire application ecosystem and identifying which software is non-compliant with a specific framework.
3. Prioritize gaps
Risk-based Approach: Prioritize gaps based on risk. Address high-risk areas first.
Business Impact: Consider the potential business impact of non-compliance, such as fines, reputational damage, or business disruption.
4. Develop a compliance roadmap
Short-term Goals: Address immediate compliance requirements and any quick wins.
Long-term Goals: Plan for ongoing compliance needs, continuous monitoring, and future regulatory changes.
5. Implement controls and solutions
Technical Controls: Deploy cybersecurity solutions that align with compliance requirements, such as encryption, firewalls, intrusion detection systems, etc.
Procedural Controls: Establish and document processes and procedures that support compliance, such as incident response plans or data handling procedures.
Another important security solution, one specifically targeting software supply chain security, is a vulnerability scanner. Anchore Enterprise is a modern, SBOM-based software composition analysis platform that combines software vulnerability scanning with a monitoring solution and a policy-based component to automate the management of software vulnerabilities and regulatory compliance.
6. Monitor and audit
Continuous Monitoring: Use tools and solutions to continuously monitor the IT environment for compliance. Auditing an IT environment once a year is no longer considered a best practice.
Regular Audits: Conduct internal and external audits to ensure compliance and identify areas for improvement.
Being able to find vulnerabilities with a scanner at a point in time, or to evaluate a system against specific compliance policies, is a great first step for a security program. Being able to do each of these things continuously in an automated fashion, and to know the exact state of your system at any point in time, is even better. Anchore Enterprise is capable of integrating security and compliance features into a continuously updated dashboard, enabling minute-by-minute insight into the security and compliance of a software system.
7. Document everything
Maintain comprehensive documentation of all compliance-related activities, decisions, and justifications. This is crucial for demonstrating compliance during audits.
8. Engage with stakeholders
Regularly communicate with internal stakeholders (e.g., executive team, IT, legal) and external ones (e.g., regulators, auditors) to ensure alignment and address concerns.
9. Review and adapt
Stay Updated: Regulatory landscapes and cybersecurity threats evolve. Stay updated on changes to ensure continued compliance.
Feedback Loop: Use insights from audits, incidents, and feedback to refine the compliance strategy.
How Anchore can help
Anchore is a leading software supply chain security company that has built a modern, SBOM-powered software composition analysis (SCA) platform that helps organizations meet and exceed the security standards in the above guide.
As we have learned working with Fortune 100 enterprises and federal agencies, including the Department of Defense, an organization’s supply chain security can only be as good as the depth of the data on their supply chain and the automation of processing the raw data into actionable insights. Anchore Enterprise provides an end-to-end software supply chain security system with total visibility, deep inspection, automated enforcement, expedited remediation, and trusted reporting to deliver actionable insights to make a software system compliant.